Ensure all S3 buckets employ encryption-at-rest

Details

Amazon S3 provides a variety of no- or low-cost encryption options to protect data at rest.

Rationale:

Encrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.

Impact:

Amazon S3 buckets with default bucket encryption using SSE-KMS cannot be used as destination buckets for Amazon S3 server access logging. Only SSE-S3 default encryption is supported for server access log destination buckets.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

From Console:

Log in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/

Select the check box next to the bucket.

Click on ‘Properties’.

Click on Default Encryption.

Select either AES-256 (SSE-S3) or AWS-KMS (SSE-KMS).

Click Save

Repeat for all the buckets in your AWS account lacking encryption.

From Command Line:
Run either

aws s3api put-bucket-encryption --bucket <bucket-name> --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}'

or

aws s3api put-bucket-encryption --bucket <bucket-name> --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "aws/s3"}}]}'

Note: KMSMasterKeyID can be set to a KMS key of your choosing; aws/s3 is the AWS-managed default key. Replace <bucket-name> with the bucket being remediated.
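Since Nessus does not perform this check, the following added example (not part of the benchmark or of Tenable's tooling) shows how to evaluate the result of get-bucket-encryption for compliance and how to build the put-bucket-encryption payload from the remediation above. The evaluation is pure Python over constructed sample responses; the audit_account function, which assumes boto3 and valid AWS credentials, is the only part that talks to AWS. It also flags the Impact caveat: a bucket used as a server access logging destination must use SSE-S3, not SSE-KMS.

```python
# Added example (not part of the benchmark page): evaluate S3 default-encryption
# configuration and, optionally, audit a live account with boto3.
import json
from typing import Optional

# The two SSEAlgorithm values the benchmark's remediation uses.
SSE_S3 = "AES256"
SSE_KMS = "aws:kms"


def default_encryption_config(algorithm: str = SSE_S3, kms_key_id: Optional[str] = None) -> dict:
    """Build the --server-side-encryption-configuration payload for put-bucket-encryption."""
    if algorithm not in (SSE_S3, SSE_KMS):
        raise ValueError(f"unsupported SSEAlgorithm: {algorithm!r}")
    rule = {"SSEAlgorithm": algorithm}
    if algorithm == SSE_KMS:
        # aws/s3 is the AWS-managed default key; a customer-managed key id or ARN can be used instead.
        rule["KMSMasterKeyID"] = kms_key_id or "aws/s3"
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": rule}]}


def evaluate_bucket_encryption(config: Optional[dict], log_destination: bool = False) -> tuple:
    """Return (compliant, note) for one bucket.

    config is the ServerSideEncryptionConfiguration dict from get-bucket-encryption,
    or None when the API reports ServerSideEncryptionConfigurationNotFoundError.
    log_destination=True marks a bucket that receives S3 server access logs, which
    only works with SSE-S3 (see the Impact section of this control).
    """
    if not config:
        return False, "no default encryption configured"
    for rule in config.get("Rules", []):
        default = rule.get("ApplyServerSideEncryptionByDefault")
        if not default:
            continue
        algorithm = default.get("SSEAlgorithm")
        if algorithm == SSE_S3:
            return True, "SSE-S3 (AES256)"
        if algorithm == SSE_KMS:
            key = default.get("KMSMasterKeyID", "aws/s3")
            note = f"SSE-KMS (key {key})"
            if log_destination:
                note += "; SSE-KMS buckets cannot receive server access logs, use SSE-S3 for that bucket"
            return True, note
        return False, f"unrecognised SSEAlgorithm {algorithm!r}"
    return False, "no ApplyServerSideEncryptionByDefault rule present"


def audit_account(s3_client=None, log_destinations=()) -> dict:
    """Live audit: map every bucket name to its (compliant, note). Assumes boto3 and AWS credentials."""
    import boto3  # imported here so the pure evaluation above runs without boto3 installed
    from botocore.exceptions import ClientError

    s3 = s3_client or boto3.client("s3")
    findings = {}
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        try:
            config = s3.get_bucket_encryption(Bucket=name)["ServerSideEncryptionConfiguration"]
        except ClientError as err:
            # A bucket with no default encryption returns this error code rather than an empty config.
            if err.response["Error"]["Code"] != "ServerSideEncryptionConfigurationNotFoundError":
                raise
            config = None
        findings[name] = evaluate_bucket_encryption(config, name in log_destinations)
    return findings


# Constructed sample responses, standing in for get-bucket-encryption output.
SAMPLE_BUCKETS = {
    "example-unencrypted": None,
    "example-sse-s3": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
    "example-sse-kms": {"Rules": [{"ApplyServerSideEncryptionByDefault":
                                   {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "aws/s3"}}]},
}

if __name__ == "__main__":
    for name, config in SAMPLE_BUCKETS.items():
        compliant, note = evaluate_bucket_encryption(config, log_destination=(name == "example-sse-kms"))
        print(f"{name}: {'PASS' if compliant else 'FAIL'} - {note}")
    print("payload:", json.dumps(default_encryption_config(SSE_KMS)))
```

To use it against saved CLI output instead of a live session, feed the JSON from `aws s3api get-bucket-encryption --bucket <bucket-name>` (the ServerSideEncryptionConfiguration member) to evaluate_bucket_encryption; a bucket that makes the CLI fail with ServerSideEncryptionConfigurationNotFoundError is the None case.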

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Identification and Authentication. This control applies to the following type of system: amazon_aws.

Updated on July 16, 2022